netstat.tproj/ipsec.c

   1 /*      $FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.1.2.3 2001/08/10 09:07:09 ru Exp $    */
   2 /*      $NetBSD: inet.c,v 1.35.2.1 1999/04/29 14:57:08 perry Exp $      */
   3 /*      $KAME: ipsec.c,v 1.25 2001/03/12 09:04:39 itojun Exp $  */
   4
   5 /*
   6  * Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
   7  * All rights reserved.
   8  *
   9  * Redistribution and use in source and binary forms, with or without
  10  * modification, are permitted provided that the following conditions
  11  * are met:
  12  * 1. Redistributions of source code must retain the above copyright
  13  *    notice, this list of conditions and the following disclaimer.
  14  * 2. Redistributions in binary form must reproduce the above copyright
  15  *    notice, this list of conditions and the following disclaimer in the
  16  *    documentation and/or other materials provided with the distribution.
  17  * 3. Neither the name of the project nor the names of its contributors
  18  *    may be used to endorse or promote products derived from this software
  19  *    without specific prior written permission.
  20  *
  21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  31  * SUCH DAMAGE.
  32  */
  33
  34 /*
  35  * Copyright (c) 1983, 1988, 1993
  36  *      The Regents of the University of California.  All rights reserved.
  37  *
  38  * Redistribution and use in source and binary forms, with or without
  39  * modification, are permitted provided that the following conditions
  40  * are met:
  41  * 1. Redistributions of source code must retain the above copyright
  42  *    notice, this list of conditions and the following disclaimer.
  43  * 2. Redistributions in binary form must reproduce the above copyright
  44  *    notice, this list of conditions and the following disclaimer in the
  45  *    documentation and/or other materials provided with the distribution.
  46  * 3. All advertising materials mentioning features or use of this software
  47  *    must display the following acknowledgement:
  48  *      This product includes software developed by the University of
  49  *      California, Berkeley and its contributors.
  50  * 4. Neither the name of the University nor the names of its contributors
  51  *    may be used to endorse or promote products derived from this software
  52  *    without specific prior written permission.
  53  *
  54  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
  55  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  56  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  57  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
  58  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  59  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  60  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  61  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  62  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  63  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  64  * SUCH DAMAGE.
  65  */
  66
  67 #include <sys/cdefs.h>
  68 #ifndef lint
  69 /*
  70 static char sccsid[] = "@(#)inet.c      8.5 (Berkeley) 5/24/95";
  71 */
  72 static const char rcsid[] =
  73   "$FreeBSD: src/usr.bin/netstat/ipsec.c,v 1.1.2.3 2001/08/10 09:07:09 ru Exp $";
  74 #endif /* not lint */
  75
  76 #include <sys/param.h>
  77 #include <sys/queue.h>
  78 #include <sys/socket.h>
  79
  80 #include <netinet/in.h>
  81
  82 #ifdef IPSEC
  83 #include <netinet6/ipsec.h>
  84 #include <netkey/keysock.h>
  85 #endif
  86
  87 #include <stdio.h>
  88 #include <string.h>
  89 #include <unistd.h>
  90 #include "netstat.h"
  91
  92 #ifdef __APPLE__
  93 #define __unused
  94 #endif
  95 /*
  96  * portability issues:
  97  * - bsdi[34] uses PLURAL(), not plural().
  98  * - freebsd2 can't print "unsigned long long" properly.
  99  */
 100 /*
 101  * XXX see PORTABILITY for the twist
 102  */
 103 #define LLU     "%llu"
 104 #define CAST    unsigned long long
 105
 106 #ifdef IPSEC
 107 struct val2str {
 108         int val;
 109         const char *str;
 110 };
 111
 112 static struct val2str ipsec_ahnames[] = {
 113         { SADB_AALG_NONE, "none", },
 114         { SADB_AALG_MD5HMAC, "hmac-md5", },
 115         { SADB_AALG_SHA1HMAC, "hmac-sha1", },
 116         { SADB_X_AALG_MD5, "md5", },
 117         { SADB_X_AALG_SHA, "sha", },
 118         { SADB_X_AALG_NULL, "null", },
 119 #ifdef SADB_X_AALG_SHA2_256
 120         { SADB_X_AALG_SHA2_256, "hmac-sha2-256", },
 121 #endif
 122 #ifdef SADB_X_AALG_SHA2_384
 123         { SADB_X_AALG_SHA2_384, "hmac-sha2-384", },
 124 #endif
 125 #ifdef SADB_X_AALG_SHA2_512
 126         { SADB_X_AALG_SHA2_512, "hmac-sha2-512", },
 127 #endif
 128         { -1, NULL },
 129 };
 130
 131 static struct val2str ipsec_espnames[] = {
 132         { SADB_EALG_NONE, "none", },
 133         { SADB_EALG_DESCBC, "des-cbc", },
 134         { SADB_EALG_3DESCBC, "3des-cbc", },
 135         { SADB_EALG_NULL, "null", },
 136 #ifdef SADB_X_EALG_RC5CBC
 137         { SADB_X_EALG_RC5CBC, "rc5-cbc", },
 138 #endif
 139         { SADB_X_EALG_CAST128CBC, "cast128-cbc", },
 140         { SADB_X_EALG_BLOWFISHCBC, "blowfish-cbc", },
 141 #ifdef SADB_X_EALG_RIJNDAELCBC
 142         { SADB_X_EALG_RIJNDAELCBC, "rijndael-cbc", },
 143 #endif
 144         { -1, NULL },
 145 };
 146
 147 static struct val2str ipsec_compnames[] = {
 148         { SADB_X_CALG_NONE, "none", },
 149         { SADB_X_CALG_OUI, "oui", },
 150         { SADB_X_CALG_DEFLATE, "deflate", },
 151         { SADB_X_CALG_LZS, "lzs", },
 152         { -1, NULL },
 153 };
 154
 155 static const char *pfkey_msgtypenames[] = {
 156         "reserved", "getspi", "update", "add", "delete",
 157         "get", "acquire", "register", "expire", "flush",
 158         "dump", "x_promisc", "x_pchange", "x_spdupdate", "x_spdadd",
 159         "x_spddelete", "x_spdget", "x_spdacquire", "x_spddump", "x_spdflush",
 160         "x_spdsetidx", "x_spdexpire", "x_spddelete2"
 161 };
 162
 163 static struct ipsecstat ipsecstat;
 164
 165 static void print_ipsecstats (void);
 166 static const char *pfkey_msgtype_names (int);
 167 static void ipsec_hist (const u_quad_t *, size_t, const struct val2str *,
 168         const char *);
 169
 170 /*
 171  * Dump IPSEC statistics structure.
 172  */
 173 static void
 174 ipsec_hist(const u_quad_t *hist,
 175            size_t histmax,
 176            const struct val2str *name,
 177            const char *title)
 178 {
 179         int first;
 180         size_t proto;
 181         const struct val2str *p;
 182
 183         first = 1;
 184         for (proto = 0; proto < histmax; proto++) {
 185                 if (hist[proto] <= 0)
 186                         continue;
 187                 if (first) {
 188                         printf("\t%s histogram:\n", title);
 189                         first = 0;
 190                 }
 191                 for (p = name; p && p->str; p++) {
 192                         if (p->val == (int)proto)
 193                                 break;
 194                 }
 195                 if (p && p->str) {
 196                         printf("\t\t%s: " LLU "\n", p->str, (CAST)hist[proto]);
 197                 } else {
 198                         printf("\t\t#%ld: " LLU "\n", (long)proto,
 199                             (CAST)hist[proto]);
 200                 }
 201         }
 202 }
 203
 204 static void
 205 print_ipsecstats(void)
 206 {
 207 #define p(f, m) if (ipsecstat.f || sflag <= 1) \
 208     printf(m, (CAST)ipsecstat.f, plural(ipsecstat.f))
 209 #define hist(f, n, t) \
 210     ipsec_hist((f), sizeof(f)/sizeof(f[0]), (n), (t));
 211
 212         p(in_success, "\t" LLU " inbound packet%s processed successfully\n");
 213         p(in_polvio, "\t" LLU " inbound packet%s violated process security "
 214                 "policy\n");
 215         p(in_nosa, "\t" LLU " inbound packet%s with no SA available\n");
 216         p(in_inval, "\t" LLU " invalid inbound packet%s\n");
 217         p(in_nomem, "\t" LLU " inbound packet%s failed due to insufficient memory\n");
 218         p(in_badspi, "\t" LLU " inbound packet%s failed getting SPI\n");
 219         p(in_ahreplay, "\t" LLU " inbound packet%s failed on AH replay check\n");
 220         p(in_espreplay, "\t" LLU " inbound packet%s failed on ESP replay check\n");
 221         p(in_ahauthsucc, "\t" LLU " inbound packet%s considered authentic\n");
 222         p(in_ahauthfail, "\t" LLU " inbound packet%s failed on authentication\n");
 223         hist(ipsecstat.in_ahhist, ipsec_ahnames, "AH input");
 224         hist(ipsecstat.in_esphist, ipsec_espnames, "ESP input");
 225         hist(ipsecstat.in_comphist, ipsec_compnames, "IPComp input");
 226
 227         p(out_success, "\t" LLU " outbound packet%s processed successfully\n");
 228         p(out_polvio, "\t" LLU " outbound packet%s violated process security "
 229                 "policy\n");
 230         p(out_nosa, "\t" LLU " outbound packet%s with no SA available\n");
 231         p(out_inval, "\t" LLU " invalid outbound packet%s\n");
 232         p(out_nomem, "\t" LLU " outbound packet%s failed due to insufficient memory\n");
 233         p(out_noroute, "\t" LLU " outbound packet%s with no route\n");
 234         hist(ipsecstat.out_ahhist, ipsec_ahnames, "AH output");
 235         hist(ipsecstat.out_esphist, ipsec_espnames, "ESP output");
 236         hist(ipsecstat.out_comphist, ipsec_compnames, "IPComp output");
 237 #undef p
 238 #undef hist
 239 }
 240
 241 void
 242 ipsec_stats(u_long off __unused, char *name, int af __unused)
 243 {
 244         if (off == 0)
 245                 return;
 246         printf ("%s:\n", name);
 247         kread(off, (char *)&ipsecstat, sizeof (ipsecstat));
 248
 249         print_ipsecstats();
 250 }
 251
 252 static const char *
 253 pfkey_msgtype_names(int x)
 254 {
 255         const int max =
 256             sizeof(pfkey_msgtypenames)/sizeof(pfkey_msgtypenames[0]);
 257         static char buf[10];
 258
 259         if (x < max && pfkey_msgtypenames[x])
 260                 return pfkey_msgtypenames[x];
 261         snprintf(buf, sizeof(buf), "#%d", x);
 262         return buf;
 263 }
 264
 265 void
 266 pfkey_stats(u_long off __unused, char *name, int af __unused)
 267 {
 268         struct pfkeystat pfkeystat;
 269         unsigned first, type;
 270
 271         if (off == 0)
 272                 return;
 273         printf ("%s:\n", name);
 274         kread(off, (char *)&pfkeystat, sizeof(pfkeystat));
 275
 276 #define p(f, m) if (pfkeystat.f || sflag <= 1) \
 277     printf(m, (CAST)pfkeystat.f, plural(pfkeystat.f))
 278
 279         /* kernel -> userland */
 280         p(out_total, "\t" LLU " request%s sent to userland\n");
 281         p(out_bytes, "\t" LLU " byte%s sent to userland\n");
 282         for (first = 1, type = 0;
 283              type < sizeof(pfkeystat.out_msgtype)/sizeof(pfkeystat.out_msgtype[0]);
 284              type++) {
 285                 if (pfkeystat.out_msgtype[type] <= 0)
 286                         continue;
 287                 if (first) {
 288                         printf("\thistogram by message type:\n");
 289                         first = 0;
 290                 }
 291                 printf("\t\t%s: " LLU "\n", pfkey_msgtype_names(type),
 292                         (CAST)pfkeystat.out_msgtype[type]);
 293         }
 294         p(out_invlen, "\t" LLU " message%s with invalid length field\n");
 295         p(out_invver, "\t" LLU " message%s with invalid version field\n");
 296         p(out_invmsgtype, "\t" LLU " message%s with invalid message type field\n");
 297         p(out_tooshort, "\t" LLU " message%s too short\n");
 298         p(out_nomem, "\t" LLU " message%s with memory allocation failure\n");
 299         p(out_dupext, "\t" LLU " message%s with duplicate extension\n");
 300         p(out_invexttype, "\t" LLU " message%s with invalid extension type\n");
 301         p(out_invsatype, "\t" LLU " message%s with invalid sa type\n");
 302         p(out_invaddr, "\t" LLU " message%s with invalid address extension\n");
 303
 304         /* userland -> kernel */
 305         p(in_total, "\t" LLU " request%s sent from userland\n");
 306         p(in_bytes, "\t" LLU " byte%s sent from userland\n");
 307         for (first = 1, type = 0;
 308              type < sizeof(pfkeystat.in_msgtype)/sizeof(pfkeystat.in_msgtype[0]);
 309              type++) {
 310                 if (pfkeystat.in_msgtype[type] <= 0)
 311                         continue;
 312                 if (first) {
 313                         printf("\thistogram by message type:\n");
 314                         first = 0;
 315                 }
 316                 printf("\t\t%s: " LLU "\n", pfkey_msgtype_names(type),
 317                         (CAST)pfkeystat.in_msgtype[type]);
 318         }
 319         p(in_msgtarget[KEY_SENDUP_ONE],
 320             "\t" LLU " message%s toward single socket\n");
 321         p(in_msgtarget[KEY_SENDUP_ALL],
 322             "\t" LLU " message%s toward all sockets\n");
 323         p(in_msgtarget[KEY_SENDUP_REGISTERED],
 324             "\t" LLU " message%s toward registered sockets\n");
 325         p(in_nomem, "\t" LLU " message%s with memory allocation failure\n");
 326 #undef p
 327 }
 328 #endif /*IPSEC*/